TL;DR
Two FSB-linked groups exploit a WinRAR bug patched in July 2025 to steal Ukrainian credentials. The patch exists but adoption remains slow.
Gamaredon and SHADOW-EARTH-066 converged on CVE-2025-8088, a path traversal bug in WinRAR patched in July 2025, to deploy credential-stealing malware against Ukrainian government and military targets while shifting exfiltration away from Telegram after Russia throttled the platform.
Two Russian state-linked hacking groups are actively exploiting a path traversal vulnerability in WinRAR that was patched nearly a year ago, using it to deploy credential-stealing malware against Ukrainian government and military targets, according to research published by Trend Micro. The flaw, tracked as CVE-2025-8088 and rated 8.4 on the CVSS scale, lets a crafted archive carry NTFS Alternate Data Stream entries whose names contain path traversal sequences, so that extracting an apparently harmless file also writes an attacker-chosen payload to a location outside the folder the user selected. The patch shipped in WinRAR 7.13 on 30 July 2025, but active exploitation began at least 12 days earlier, and the two groups are still using the bug because WinRAR remains deeply embedded in Ukrainian organisations and update adoption has been slow.
Gamaredon, the FSB-linked group that Trend Micro tracks as Earth Dahu, is using the vulnerability as the entry point for a multi-stage infection chain. The attack begins with a spear-phishing email containing a weaponised RAR archive that exploits CVE-2025-8088 to drop an HTA file, which executes a VBScript loader called GammaPhish. That loader downloads GammaLoad, a backdoor that establishes persistence and fetches GammaSteel, the group’s primary tool for exfiltrating documents and screenshots from compromised machines.
SHADOW-EARTH-066, which Ukraine's CERT tracks as UAC-0226, has independently converged on the same WinRAR flaw but deploys different malware. The group previously relied on malicious Excel macros to deliver its payloads, but shifted to WinRAR exploit chains once the exploit became available, a tactical upgrade that sidesteps Microsoft's default blocking of macros in documents downloaded from the internet. Its payload is GIFTEDCROOK, an information stealer that targets saved passwords and session cookies from Chrome, Edge, Opera, and Firefox, along with documents stored on the compromised system.
The convergence of two separate Russian APT groups on a single vulnerability is notable because Gamaredon and SHADOW-EARTH-066 operate different toolchains and appear to serve different intelligence-collection objectives, yet both identified CVE-2025-8088 as the most efficient way to reach Ukrainian targets. Trend Micro researchers Hiroyuki Kakara and Feike Hacquebord documented the campaigns in a joint analysis. Sekoia, the French threat intelligence firm, independently corroborated the Gamaredon chain and noted that the group’s targeting has remained focused on Ukrainian military, law enforcement, and government entities throughout the campaign.
A significant operational shift accompanies the exploit campaigns. Gamaredon historically used Telegram bots and channels to relay stolen data back to its operators, but the group has been migrating exfiltration to dedicated command-and-control servers since early 2026. The timing aligns with Russia’s decision to throttle Telegram traffic beginning 10 February 2026, a move confirmed by CNN and Amnesty International that disrupted the platform’s reliability inside Russia and made it a less dependable channel for covert data transfers.
RomCom, a separate Russian-speaking APT group, was the first threat actor to weaponise CVE-2025-8088, exploiting it before WinRAR released the patch. The fact that at least three distinct groups have now built exploit chains around the same bug underscores a structural problem: the gap between when patches become available and when organisations actually deploy them gives attackers a window that can stretch for months or longer. WinRAR does not update automatically in most enterprise configurations, and Ukrainian organisations operating under wartime conditions face additional barriers to routine software maintenance.
The campaigns are part of a broader pattern of Russian state-sponsored cyber operations targeting European and Ukrainian infrastructure that has intensified since the full-scale invasion in 2022. GIFTEDCROOK’s targeting of browser credentials is particularly dangerous because saved passwords and session cookies can give attackers access to email accounts, internal portals, and communication platforms without needing to crack additional authentication. Trend Micro noted that the stolen browser data often provides lateral movement opportunities that extend well beyond the initially compromised machine.
For organisations still running WinRAR 7.12 or earlier, the remediation is to update to version 7.13 or later, which has been available since July 2025. The fact that the patch has existed for nearly a year while exploitation continues is the core problem. Administrators who cannot update immediately should treat inbound RAR attachments with the same suspicion now applied to other archive formats routinely used to deliver malware, and, where the email gateway can inspect archive contents, quarantine RAR files that carry alternate data stream entries or any entry whose name contains a path traversal sequence. Alternate data streams are an NTFS feature of the destination filesystem, so the only place a gateway can act is on the archive entries themselves.
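As an added example (not code from Trend Micro, ESET or RARLAB, and not the page's own), the following Python scanner implements the gateway check just described and illustrates the archive structure the vulnerability abuses: it walks a RAR5 archive block by block, verifies each header CRC, and flags alternate data stream (STM) service entries whose stream name contains a path separator or `..`. The block layout follows the public RAR 5.0 technote; the placement of the stream name in the STM header's service-data extra record (type 0x07) is an assumption made here, the archive it scans is constructed in the code itself (stored entries, no encryption, RAR5 only), and names such as `build_sample_archive` and `scan_rar5` are the example's own.

```python
# Added example (not Trend Micro's, ESET's or RARLAB's code): flag RAR5 alternate-
# data-stream entries whose stream name would escape the extraction directory.
import struct
import zlib

RAR5_SIGNATURE = b"Rar!\x1a\x07\x01\x00"
HDR_MAIN, HDR_FILE, HDR_SERVICE, HDR_END = 1, 2, 3, 5
FLAG_EXTRA, FLAG_DATA = 0x0001, 0x0002      # header flags: extra area / data area present
FFLAG_MTIME, FFLAG_CRC = 0x0002, 0x0004     # file flags: mtime / data CRC32 present
EXTRA_SUBDATA = 0x07  # service-data record; assumed here to hold the STM stream name

def encode_vint(n: int) -> bytes:
    """RAR5 variable-length integer: 7 bits per byte, low bits first."""
    out = bytearray()
    while True:
        b, n = n & 0x7F, n >> 7
        out.append(b | 0x80 if n else b)
        if not n:
            return bytes(out)

def read_vint(buf: bytes, pos: int):
    """Decode a vint at buf[pos]; returns (value, position after it)."""
    value, shift = 0, 0
    while True:
        b, pos = buf[pos], pos + 1
        value |= (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, pos

def build_block(htype: int, body: bytes, extra: bytes = b"", data: bytes = b"") -> bytes:
    """CRC32 | size | type | flags | [extra size] | [data size] | body | extra | data.
    Size runs from the type field to the end of the extra area; the CRC also covers size."""
    flags = (FLAG_EXTRA if extra else 0) | (FLAG_DATA if data else 0)
    fields = encode_vint(htype) + encode_vint(flags)
    fields += encode_vint(len(extra)) if extra else b""
    fields += encode_vint(len(data)) if data else b""
    hdr = encode_vint(len(fields) + len(body) + len(extra)) + fields + body + extra
    return struct.pack("<I", zlib.crc32(hdr)) + hdr + data

def entry_body(name: bytes, data: bytes) -> bytes:
    """File/service body: file flags, unpacked size, attributes, data CRC32,
    compression info (0 = stored), host OS (0 = Windows), name length, name."""
    return (encode_vint(FFLAG_CRC) + encode_vint(len(data)) + encode_vint(0x20)
            + struct.pack("<I", zlib.crc32(data)) + encode_vint(0) + encode_vint(0)
            + encode_vint(len(name)) + name)

def build_sample_archive(stream_name: str) -> bytes:
    """Constructed test archive: one decoy file plus one STM entry attached to it."""
    decoy, payload = b"constructed decoy document\n", b"constructed stream contents\n"
    record = encode_vint(EXTRA_SUBDATA) + stream_name.encode("utf-8")
    extra = encode_vint(len(record)) + record  # record size counts from the type field
    return (RAR5_SIGNATURE
            + build_block(HDR_MAIN, encode_vint(0))  # archive flags = 0
            + build_block(HDR_FILE, entry_body(b"report.txt", decoy), data=decoy)
            + build_block(HDR_SERVICE, entry_body(b"STM", payload), extra=extra, data=payload)
            + build_block(HDR_END, encode_vint(0)))  # end-of-archive flags = 0

def suspicious_stream_name(name: str) -> bool:
    """Benign is ':' plus a plain name (':Zone.Identifier'); a separator or '..' means
    the name would be joined into a path when the stream is written to disk."""
    return not name.startswith(":") or "\\" in name or "/" in name or ".." in name

def subdata(extra: bytes) -> bytes:
    """Return the payload of the service-data record in an extra area, or b''."""
    pos = 0
    while pos < len(extra):
        rec_size, p = read_vint(extra, pos)
        rec_type, q = read_vint(extra, p)
        if rec_type == EXTRA_SUBDATA:
            return extra[q:p + rec_size]
        pos = p + rec_size
    return b""

def scan_rar5(buf: bytes) -> list:
    """Walk every block, verify header CRCs, return suspicious STM stream names."""
    if not buf.startswith(RAR5_SIGNATURE):
        raise ValueError("not a RAR5 archive")
    pos, findings = len(RAR5_SIGNATURE), []
    while pos < len(buf):
        stored_crc = struct.unpack_from("<I", buf, pos)[0]
        size, p = read_vint(buf, pos + 4)
        hdr_end = p + size
        if zlib.crc32(buf[pos + 4:hdr_end]) != stored_crc:
            raise ValueError(f"bad header CRC at offset {pos}")
        htype, p = read_vint(buf, p)
        flags, p = read_vint(buf, p)
        extra_size, p = read_vint(buf, p) if flags & FLAG_EXTRA else (0, p)
        data_size, p = read_vint(buf, p) if flags & FLAG_DATA else (0, p)
        if htype in (HDR_FILE, HDR_SERVICE):
            file_flags, p = read_vint(buf, p)
            for _ in range(2):                      # unpacked size, attributes
                _v, p = read_vint(buf, p)
            p += (4 if file_flags & FFLAG_MTIME else 0) + (4 if file_flags & FFLAG_CRC else 0)
            for _ in range(2):                      # compression info, host OS
                _v, p = read_vint(buf, p)
            name_len, p = read_vint(buf, p)
            if htype == HDR_SERVICE and buf[p:p + name_len] == b"STM":
                stream = subdata(buf[hdr_end - extra_size:hdr_end]).decode("utf-8", "replace")
                if suspicious_stream_name(stream):
                    findings.append(stream)
        pos = hdr_end + data_size
        if htype == HDR_END:
            break
    return findings
```

In a gateway the same walk is applied to each RAR attachment, with any finding, or a CRC failure, used as the quarantine verdict. The scanner does not decompress entry data, so it will not see an archive nested inside another, and it does not parse the older RAR4 layout (signature `Rar!\x1a\x07\x00`), which stores streams differently; both cases should simply be treated as unscannable and held.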